CVE-2024-7559 is a critical vulnerability identified in the File Manager Pro plugin for WordPress, affecting all versions up to and including 8.3.7. The vulnerability arises from the mk_file_folder_manager AJAX action, which lacks proper validation of uploaded file types and fails to enforce capability checks. Consequently, authenticated users with as little as Subscriber-level privileges can upload arbitrary files to the server hosting the WordPress site. This improper control of code generation (classified under CWE-94) enables attackers to upload malicious scripts or executable files, potentially leading to remote code execution (RCE). The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component but can affect the entire site. The CVSS v3.1 base score is 8.8, indicating high severity with high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the ease of exploitation and the widespread use of WordPress and this plugin make this a significant risk. The vulnerability highlights the importance of strict input validation and proper permission checks in web applications, especially those handling file uploads.

The vulnerability allows attackers with minimal privileges to upload arbitrary files, which can lead to full remote code execution on the web server. This can compromise the confidentiality of sensitive data stored on the server, allow attackers to modify or delete data (integrity impact), and disrupt website availability through malicious payloads or server manipulation. Organizations relying on WordPress sites with the File Manager Pro plugin are at risk of site defacement, data breaches, malware distribution, and use of the compromised server as a pivot point for further attacks within their network. The attack requires only authenticated access at a low privilege level, increasing the risk from insider threats or compromised low-level accounts. The lack of known exploits in the wild does not diminish the urgency, as proof-of-concept exploits may emerge rapidly given the vulnerability's nature and high CVSS score.

Immediate mitigation involves updating the File Manager Pro plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, organizations should restrict access to the plugin’s AJAX actions by limiting user roles that can interact with it, ideally removing Subscriber-level users or restricting their capabilities. Implement web application firewall (WAF) rules to detect and block suspicious file upload attempts targeting the mk_file_folder_manager action. Disable or remove the File Manager Pro plugin if not essential. Conduct thorough audits of user accounts to identify and remove unnecessary or suspicious low-privilege accounts. Monitor server logs for unusual file uploads or execution attempts. Employ file integrity monitoring to detect unauthorized changes. Additionally, apply the principle of least privilege to WordPress user roles and ensure that file upload directories have appropriate permissions to prevent execution of uploaded files.